Disabling mailbox.org 2FA through password reset

I would like to solicit advice from the community on whether mailbox.org approach to resetting passwords to accounts with 2FA enabled is at all sane.

Basically, if you set up any of their 2FA, your password can be reset if you’re logged into at least one session somewhere (eg. through your local mail client), which will also disable your 2FA. Their response to it is along the lines of if somebody got ahold of your device you got bigger problems on your hand which sounds dismissive.

This is all against the backdrop of the lack of app passwords and the broad amount of places your IMAP password can be used (leaky mail clients, CaldDAV, CalDAV WebDAV, XMPP clients). I’m due for a renewal and this situation has made me look elsewhere.

I dont use mailbox.org but imap shouldn’t be used at all and if they are used for some reason they should be app based passwords not the main account password. Same goes for caldav. It should be a specific app password restricted to the usecase. If that is not the case as you say that is a very bad decision by them generally.

Would you care to elaborate? I understand why one shouldn’t use IMAP with mailbox.org (given it’s the same password that allows bad actors to lock you out of your email account for good), but it reads as if you’re not thrilled about using these standard open protocols alongside app passwords either.

Well exactly as you mentioned plaintext passwords, and no MFA.

Besides even the fact that IMAP also supports unencrypted connections or using outdated SSL.

1 Like

At the risk off veering off topic, do you have suggestion for a contact-sync solution that’s not based on CardDAV?

Unfortunately no. At least not with a privacy preserving product. I really wish I did. If i would I would scream it from the roof. It’s really something I am after. If i had more time I would make it myself.

Personally I stopped syncing it at all. The DAVx5 app works on my nerves.